diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index 5db0841..260f346 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -84,3 +84,45 @@ jobs:
 ct install \
 --target-branch ${{ github.event.repository.default_branch }} \
 --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml"
+
+ test_plain_minio:
+ name: Test chart plain with minio subchart
+ runs-on: ubuntu-latest
+ needs: lint
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: "0"
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Install Helm
+ uses: azure/setup-helm@v4
+
+ - name: Add dependency chart repos
+ run: |
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.7.0
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.12.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ id: install
+ if: steps.list-changed.outputs.changed == 'true'
+ run: |
+ ct install \
+ --target-branch ${{ github.event.repository.default_branch }} \
+ --helm-extra-set-args "--values ./charts/pixelfed/test-values/minio-plain.yaml"
diff --git a/charts/pixelfed/Chart.lock b/charts/pixelfed/Chart.lock
index 09dbb6b..f991f2b 100644
--- a/charts/pixelfed/Chart.lock
+++ b/charts/pixelfed/Chart.lock
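Review bot: The new `test_plain_minio` job is a step-for-step copy of the job above it, differing only in the values file named on its last line, so the two will drift the next time someone touches one of them; a `strategy.matrix` over the `test-values/*.yaml` files (or a reusable workflow taking the values path as input) would keep a single definition. The third-party actions are referenced by floating tags (`actions/checkout@v4`, `azure/setup-helm@v4`) rather than a commit SHA, so what the job runs is whatever those tags point to on the day; pinning by SHA with the version in a trailing comment is the usual way to make the job's supply chain reviewable. The `helm repo add bitnami https://charts.bitnami.com/bitnami` step looks unnecessary now that Chart.yaml resolves every dependency from `oci://registry-1.docker.io/bitnamicharts`, though it may be kept for parity with the other jobs.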
@@ -8,5 +8,8 @@ dependencies: - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts version: 20.2.2 -digest: sha256:ab9c547cea93017a3a65f289e1573ee936a6925d3762200bb24d6e5dc512003c -generated: "2025-01-23T22:50:42.4566+01:00" +- name: minio + repository: oci://registry-1.docker.io/bitnamicharts + version: 14.10.5 +digest: sha256:7df7ad6adc934f88fc660a95c9e9dd342f7daf39e0351b84415d4d8e7608e7e6 +generated: "2025-01-23T20:17:44.237852195-06:00" diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index b50586f..a5e4149 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.19.1 +version: 0.20.0 # This is the version number of the application being deployed. # renovate:image=ghcr.io/mattlqx/docker-pixelfed @@ -41,3 +41,8 @@ dependencies: version: 20.2.2 repository: oci://registry-1.docker.io/bitnamicharts condition: mariadb.enabled + + - name: minio + version: 14.10.5 + repository: oci://registry-1.docker.io/bitnamicharts + condition: minio.enabled diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 16934d1..51c81d0 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md 
@@ -1,6 +1,6 @@ # Pixelfed Helm Chart -![Version: 0.19.1](https://img.shields.io/badge/Version-0.19.1-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square) +![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes @@ -96,6 +96,7 @@ These are all subcharts that you can choose to install, but you can also bring y | Repository | Name | Version | |------------|------|---------| | oci://registry-1.docker.io/bitnamicharts | mariadb | 20.2.2 | +| oci://registry-1.docker.io/bitnamicharts | minio | 14.10.5 | | oci://registry-1.docker.io/bitnamicharts | postgresql | 16.4.5 | | oci://registry-1.docker.io/bitnamicharts | valkey | 2.2.3 | 
@@ -182,12 +183,26 @@ persistence: | mariadb.auth.rootPassword | string | `"newRootPassword123"` | Password for the root user. Ignored if existing secret is provided. | | mariadb.auth.username | string | `"pixelfed"` | Name for a custom user to create | | mariadb.enabled | bool | `false` | enable mariadb subchart - currently experimental for this chart read more about the values: https://github.com/bitnami/charts/tree/main/bitnami/mariadb | +| minio.disableWebUI | bool | `true` | disable the minio web ui | +| minio.enabled | bool | `false` | enable the bundled [minio sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/minio/README.md#parameters). | +| minio.fullnameOverride | string | `"minio"` | | +| minio.global.storageClass | string | `""` | | +| minio.provisioning.buckets | list | `[{"name":"pixelfed"}]` | buckets to provision. Only one bucket is supported for auto configuration in this chart. | +| minio.provisioning.enabled | bool | `true` | enable the provisioning of minio buckets/policies/users during the deployment | +| minio.provisioning.extraCommands | list | `["mc anonymous set download provisioning/pixelfed"]` | commands to run after provisioning. | +| minio.provisioning.policies | list | `[{"name":"pixelfed-full","statements":[{"actions":["s3:*"],"effect":"Allow","resources":["arn:aws:s3:::pixelfed","arn:aws:s3:::pixelfed/*"]}]}]` | policies to provision. Only one policy is supported for auto configuration in this chart. | +| minio.provisioning.users | list | `[{"disabled":false,"password":"pixelfedMinio","policies":["pixelfed-full"],"setPolicies":true,"username":"minio-pf"}]` | users to provision. Only one user is supported for auto configuration in this chart. Should be changed to a random password. 
| +| minio.tls.autoGenerated | bool | `true` | | +| minio.tls.enabled | bool | `true` | | +| minio.tls.pixelfedInitContainer | object | `{"args":["apt update && apt install -y ca-certificates && update-ca-certificates && cp -r /etc/ssl/certs/* /cacert/"],"command":["/bin/sh","-c"],"image":"debian:latest","name":"add-minio-cert","securityContext":{"runAsGroup":0,"runAsUser":0},"volumeMounts":[{"mountPath":"/usr/local/share/ca-certificates/minio.crt","name":"minio-crt","readOnly":false,"subPath":"ca.crt"},{"mountPath":"/cacert","name":"cert-tmp","readOnly":false}]}` | use an init container to add the autogenerated minio certificate to the pixelfed container | +| minio.tls.pixelfedVolumeMounts | list | `[{"mountPath":"/etc/ssl/certs","name":"cert-tmp","readOnly":false}]` | mount the shared ca-certificates directory to the pixelfed container | +| minio.tls.pixelfedVolumes | list | `[{"name":"minio-crt","secret":{"secretName":"minio-crt"}},{"emptyDir":{},"name":"cert-tmp"}]` | mounts for the minio certificate and the temporary directory | | nameOverride | string | `""` | This is to override the chart name. | | nodeSelector | object | `{}` | put the pixelfed pod on a specific node/nodegroup | -| persistence.accessModes | list | `["ReadWriteOnce"]` | accessMode | +| persistence.accessModes | list | `["ReadWriteOnce"]` | accessMode. Should be set to '["ReadWriteMany"]' for seperate worker to be able to upload from local storage to S3 | | persistence.enabled | bool | `false` | enable persistence for the pixelfed pod | | persistence.existingClaim | string | `""` | using an existing PVC instead of creating one with this chart | -| persistence.storage | string | `"2Gi"` | size of the persistent volume claim to create. Tgnored if persistence.existingClaim is set | +| persistence.storage | string | `"2Gi"` | size of the persistent volume claim to create. 
Ignored if persistence.existingClaim is set | | persistence.storageClassName | string | `""` | storage class name | | phpConfigs | object | `{}` | PHP Configuration files Will be injected in /usr/local/etc/php-fpm.d | | pixelfed.account_deletion | bool | `true` | Enable account deletion (may be a requirement in some jurisdictions) | @@ -281,6 +296,7 @@ persistence: | pixelfed.pf.max_user_blocks | int | `50` | The max number of user blocks per account | | pixelfed.pf.max_user_mutes | int | `50` | The max number of user mutes per account | | pixelfed.pf.max_users | int | `1000` | Limit max user registrations | +| pixelfed.pf.media_fast_process | bool | `true` | Posts are published without waiting for media to be optimized/uploaded to S3. However, posts may be federated without S3 urls. | | pixelfed.pf.optimize_images | bool | `true` | Enable image optimization | | pixelfed.pf.optimize_videos | bool | `true` | Enable video optimization | | pixelfed.s3.access_key_id | string | `""` | s3 access_key_id. ignored if s3.existingSecretKeys.access_key_id is set | @@ -295,6 +311,7 @@ persistence: | pixelfed.s3.secret_access_key | string | `""` | s3 secret_access_key. ignored if s3.existingSecretKeys.secret_access_key is set | | pixelfed.s3.url | string | `""` | s3 url including protocol such as https://s3.domain.com | | pixelfed.s3.use_path_style_endpoint | bool | `false` | use S3 path type instead of using a DNS subdomain | +| pixelfed.s3.visibility | string | `"public"` | visibility of the bucket | | pixelfed.session_domain | string | `""` | domain of session? | | pixelfed.stories_enabled | bool | `false` | Enable the Stories feature | | pixelfed.timezone | string | `"europe/amsterdam"` | timezone for docker container | diff --git a/charts/pixelfed/charts/minio-14.10.5.tgz b/charts/pixelfed/charts/minio-14.10.5.tgz new file mode 100644 index 0000000..3bb59ba Binary files /dev/null and b/charts/pixelfed/charts/minio-14.10.5.tgz differ 
diff --git a/charts/pixelfed/templates/_helpers.tpl b/charts/pixelfed/templates/_helpers.tpl index a33efae..da09632 100644 --- a/charts/pixelfed/templates/_helpers.tpl +++ b/charts/pixelfed/templates/_helpers.tpl 
@@ -67,3 +67,56 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Ensure minio password is set appropriately +*/}} +{{- if .Values.minio.enabled }} + {{- if or (len (index .Values.minio.provisioning.users 0 "password") lt 8) (len (index .Values.minio.provisioning.users 0 "password") gt 40) }} + {{- fail "pixelfed minio default user password not set. Set with --set minio.provisioning.users[0].password=..." }} + {{- end }} +{{- end }} + +{{/* +Helper variable to check if autogenerated minio cert are enabled. +*/}} +{{- define "pixelfed.minio.autogeneratedTls" -}} +{{- if and .Values.minio.tls.enabled .Values.minio.tls.autoGenerated }} +true +{{- else }} +false +{{- end }} +{{- end }} + +{{/* +Merge extraInitContainers with any expected ones from the minio subchart. +*/}} +{{- define "pixelfed.mergedInitContainers" -}} +{{- $mergedInitContainers := .Values.extraInitContainers }} +{{- if eq (include "pixelfed.minio.autogeneratedTls" .) "true" }} +{{- $mergedInitContainers = append $mergedInitContainers .Values.minio.tls.pixelfedInitContainer }} +{{- end }} +{{- toYaml $mergedInitContainers }} +{{- end }} + +{{/* +Merge extraVolumes with any expected ones from the minio subchart. +*/}} +{{- define "pixelfed.mergedVolumes" -}} +{{- $mergedVolumes := .Values.extraVolumes }} +{{- if eq (include "pixelfed.minio.autogeneratedTls" .) "true" }} +{{- $mergedVolumes = concat $mergedVolumes .Values.minio.tls.pixelfedVolumes }} +{{- end }} +{{- toYaml $mergedVolumes }} +{{- end }} + +{{/* +Merge extraVolumeMounts with any expected ones from the minio subchart. +*/}} +{{- define "pixelfed.mergedVolumeMounts" -}} +{{- $mergedVolumeMounts := .Values.extraVolumeMounts }} +{{- if eq (include "pixelfed.minio.autogeneratedTls" .) 
"true" }} +{{- $mergedVolumeMounts = concat $mergedVolumeMounts .Values.minio.tls.pixelfedVolumeMounts }} +{{- end }} +{{- toYaml $mergedVolumeMounts }} +{{- end }} \ No newline at end of file diff --git a/charts/pixelfed/templates/configmap_env.yaml b/charts/pixelfed/templates/configmap_env.yaml index f3e6e7c..a2245f2 100644 --- a/charts/pixelfed/templates/configmap_env.yaml +++ b/charts/pixelfed/templates/configmap_env.yaml @@ -120,6 +120,23 @@ data: MAIL_FROM_ADDRESS: "{{ .Values.pixelfed.mail.from_address }}" MAIL_FROM_NAME: "{{ .Values.pixelfed.mail.from_name }}" + # s3 + AWS_VISIBILITY: {{ .Values.pixelfed.s3.visibility | quote }} + {{- if not .Values.minio.enabled }} + AWS_DEFAULT_REGION: {{ .Values.pixelfed.s3.region | quote }} + AWS_BUCKET: {{ .Values.pixelfed.s3.bucket | quote }} + AWS_USE_PATH_STYLE_ENDPOINT: {{ .Values.pixelfed.s3.use_path_style_endpoint | quote }} + {{- else }} + # when minio is enabled + {{- if .Values.pixelfed.s3.bucket }} + AWS_BUCKET: {{ .Values.pixelfed.s3.bucket | quote }} + {{- else if .Values.minio.provisioning.enabled }} + AWS_BUCKET: {{ index .Values.minio.provisioning.buckets 0 "name" | quote }} + {{- end }} + AWS_DEFAULT_REGION: "us-east-1" # unneeded for minio, but required for s3 driver + AWS_USE_PATH_STYLE_ENDPOINT: "true" # expected for minio + {{- end }} + # database configuration DB_CONNECTION: {{ .Values.pixelfed.db.connection }} DB_APPLY_NEW_MIGRATIONS_AUTOMATICALLY: "{{ .Values.pixelfed.db.apply_new_migrations_automatically }}" diff --git a/charts/pixelfed/templates/deployment.yaml b/charts/pixelfed/templates/deployment.yaml index 6dc4154..25e274a 100644 --- a/charts/pixelfed/templates/deployment.yaml +++ b/charts/pixelfed/templates/deployment.yaml 
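Review bot: The password guard `or (len (index .Values.minio.provisioning.users 0 "password") lt 8) (len ... gt 40)` hands `lt`/`gt` and the number to `len` as extra arguments, which as far as I can tell Go's text/template rejects at render time whenever `minio.enabled` is true; the intended form is `or (lt (len (index .Values.minio.provisioning.users 0 "password")) 8) (gt (len (index .Values.minio.provisioning.users 0 "password")) 40)`. Even with the operators fixed, the shipped default `pixelfedMinio` is 13 characters and passes, so the message "password not set" never fires for the one case it is meant to catch; if the aim is to force an override, compare against the default literal (`eq (index ... "password") "pixelfedMinio"`) instead of, or in addition to, the length check, and give the test values file an explicit password so CI still passes. Separately, `pixelfed.minio.autogeneratedTls` emits a newline before `true` (the `}}` after the `if` is not trimmed, so the include returns `"\ntrue"`), which makes every `eq (include "pixelfed.minio.autogeneratedTls" .) "true"` in the merge helpers false unless I am misreading the trim markers; closing the `if`/`else` tags with `-}}` yields exactly `true`/`false`. A one-line comment on the top-level guard, `{{/* runs on every render, not only when the helper is included */}}`, would also help, since executable code outside a `define` in a partial is easy to miss.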
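Review bot: When the minio subchart is enabled, `AWS_DEFAULT_REGION` is hard-coded to `"us-east-1"` and `.Values.pixelfed.s3.region` is silently ignored; `AWS_DEFAULT_REGION: {{ .Values.pixelfed.s3.region | default "us-east-1" | quote }}` keeps the fallback while honouring a value the user set deliberately. In the same branch, if `pixelfed.s3.bucket` is empty and `minio.provisioning.enabled` is false, no `AWS_BUCKET` is emitted at all and the misconfiguration only surfaces at runtime inside Pixelfed; an `{{- else }}` branch with `{{ fail "set pixelfed.s3.bucket or enable minio.provisioning" }}` would make it visible at install time.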
@@ -37,9 +37,11 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.extraInitContainers }} + {{- with (include "pixelfed.mergedInitContainers" .) }} + {{- if len . | gt 0 }} initContainers: - {{- toYaml . | nindent 8 }} + {{- . | nindent 8 }} + {{- end }} {{- end }} containers: {{- with .Values.extraContainers }} @@ -173,6 +175,50 @@ spec: key: password {{- end }} + # s3 + {{- if or (.Values.pixelfed.s3.existingSecret) (and .Values.minio.enabled .Values.minio.provisioning.enabled) }} + - name: AWS_URL + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.url }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: url + {{- end }} + - name: AWS_ENDPOINT + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.endpoint }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: endpoint + {{- end }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.access_key_id }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: access_key_id + {{- end }} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.secret_access_key }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: secret_access_key + {{- end }} + {{- end }} + # database configuration {{- if .Values.externalDatabase.enabled }} - name: DB_HOST 
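Review bot: `{{- if len . | gt 0 }}` evaluates as `gt 0 (len .)` — a pipeline passes its input as the last argument — so it tests `0 > len` and is never true, meaning `initContainers:` is never rendered; the same inverted guard is in the volumeMounts and volumes hunks of deployment.yaml and in the initContainers, volumeMounts and volumes hunks of deployment_backend.yaml. Flipping it is not enough either: `.` here is the rendered string from `include`, and `toYaml` renders an empty list as `[]` (or `null` for an unset value), so its length is never 0 and the guard cannot tell the empty case apart. The cleaner fix is for the `pixelfed.merged*` helpers to emit nothing when there is nothing to merge, e.g. `{{- if $mergedInitContainers }}{{ toYaml $mergedInitContainers }}{{- end }}`, after which the existing `with` (and a plain `or (include "pixelfed.mergedVolumeMounts" .) ...` in the volumeMounts/volumes conditions) decides correctly and the `len ... | gt 0` guards can be dropped. Note that with the previous `with .Values.extraInitContainers` an unset value skipped the block, so users who never set `extraInitContainers` are the ones who regress here.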
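Review bot: The four `AWS_*` `secretKeyRef` entries added here are repeated verbatim in the deployment_backend.yaml hunk, forty-odd lines that now have to be kept in sync by hand; a `{{- define "pixelfed.s3EnvVars" -}}` partial in _helpers.tpl holding this block, included with `{{- include "pixelfed.s3EnvVars" . | nindent 12 }}` in both deployments, keeps one copy. The outer condition deserves a comment stating the fallback order, e.g. `# credentials come from pixelfed.s3.existingSecret, else from the chart-managed -s3 Secret that exists only when minio provisioning is on`, because a reader of this file alone cannot see where the `-s3` Secret comes from.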
@@ -259,10 +305,10 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} - {{- if or .Values.extraVolumeMounts .Values.phpConfigs .Values.persistence.enabled }} + {{- if or (len (include "pixelfed.mergedVolumeMounts" .) | gt 0) .Values.phpConfigs .Values.persistence.enabled }} volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} + {{- with (include "pixelfed.mergedVolumeMounts" .) }} + {{- . | nindent 12 }} {{- end }} {{- range $key, $value := .Values.phpConfigs }} - name: phpconfig @@ -275,10 +321,10 @@ spec: {{- end }} {{- end }}{{/* end volumeMounts */}} - {{- if or .Values.phpConfigs .Values.extraVolumes .Values.persistence.enabled }} + {{- if or .Values.phpConfigs (len (include "pixelfed.mergedVolumes" .) | gt 0) .Values.persistence.enabled }} volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} + {{- with (include "pixelfed.mergedVolumes" .) }} + {{- . | nindent 8 }} {{- end }} {{- if .Values.persistence.enabled }} - name: storage diff --git a/charts/pixelfed/templates/deployment_backend.yaml b/charts/pixelfed/templates/deployment_backend.yaml index 292269e..fd483d8 100644 --- a/charts/pixelfed/templates/deployment_backend.yaml +++ b/charts/pixelfed/templates/deployment_backend.yaml @@ -39,9 +39,11 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.extraInitContainers }} + {{- with (include "pixelfed.mergedInitContainers" .) }} + {{- if len . | gt 0 }} initContainers: - {{- toYaml . | nindent 8 }} + {{- . | nindent 8 }} + {{- end }} {{- end }} containers: - name: {{ .Chart.Name }}-backend 
@@ -120,6 +122,49 @@ spec: key: valkey-password {{- end }} + # s3 + {{- if or (.Values.pixelfed.s3.existingSecret) (and .Values.minio.enabled .Values.minio.provisioning.enabled) }} + - name: AWS_URL + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.url }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: url + {{- end }} + - name: AWS_ENDPOINT + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.endpoint }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: endpoint + {{- end }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.access_key_id }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: access_key_id + {{- end }} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.s3.existingSecret }} + name: {{ .Values.pixelfed.s3.existingSecret }} + key: {{ .Values.pixelfed.s3.existingSecretKeys.secret_access_key }} + {{- else }} + name: {{ include "pixelfed.fullname" . }}-s3 + key: secret_access_key + {{- end }} + {{- end }} # database configuration {{- if .Values.externalDatabase.enabled }} - name: DB_HOST @@ -196,10 +241,10 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} - {{- if or .Values.extraVolumeMounts .Values.phpConfigs }} + {{- if or (len (include "pixelfed.mergedVolumeMounts" .) | gt 0) .Values.phpConfigs .Values.persistence.enabled }} volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} + {{- with (include "pixelfed.mergedVolumeMounts" .) }} + {{- . | nindent 12 }} {{- end }} {{- range $key, $value := .Values.phpConfigs }} - name: phpconfig 
@@ -208,10 +253,19 @@ spec: {{- end }} {{- end }}{{/* end volumeMounts */}} - {{- if or .Values.phpConfigs .Values.extraVolumes }} + {{- if or .Values.phpConfigs (len (include "pixelfed.mergedVolumes" .) | gt 0) .Values.persistence.enabled }} volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} + {{- with (include "pixelfed.mergedVolumes" .) }} + {{- . | nindent 8 }} + {{- end }} + {{- if .Values.persistence.enabled }} + - name: storage + persistentVolumeClaim: + {{- if .Values.persistence.existingClaim }} + claimName: {{ .Values.persistence.existingClaim }} + {{- else }} + claimName: {{ include "pixelfed.fullname" . }} + {{- end }} {{- end }} {{- if .Values.phpConfigs }} - name: phpconfig diff --git a/charts/pixelfed/templates/secret_s3.yaml b/charts/pixelfed/templates/secret_s3.yaml new file mode 100644 index 0000000..cd1abcc --- /dev/null +++ b/charts/pixelfed/templates/secret_s3.yaml 
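Review bot: This hunk adds the `storage` volume to the backend pod, but no hunk in this diff adds a matching `- name: storage` volumeMount to the backend container; unless that mount already exists outside the hunks, the volume is declared and never used. Both deployments now claim the same PVC (`{{ include "pixelfed.fullname" . }}`) and the default `persistence.accessModes` is `ReadWriteOnce`, so with defaults the backend and main pods can only be scheduled onto the same node; the README text about `ReadWriteMany` hints at this, but a comment on the claim, `# shared with the main deployment; needs ReadWriteMany unless both pods land on one node`, would make it explicit where the constraint is introduced.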
@@ -0,0 +1,37 @@
+{{- if and (not .Values.pixelfed.s3.existingSecret) (and .Values.minio.enabled .Values.minio.provisioning.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "pixelfed.fullname" . }}-s3
+data:
+ {{- if .Values.pixelfed.s3.url }}
+ url: {{ .Values.pixelfed.s3.url | b64enc }}
+ {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+ url: {{ printf "https://%s:%v/%s" .Values.minio.fullnameOverride .Values.minio.service.ports.api (index .Values.minio.provisioning.buckets 0 "name") | b64enc }}
+ {{- end }}
+
+ {{- if .Values.pixelfed.s3.endpoint }}
+ endpoint: {{ .Values.pixelfed.s3.endpoint | b64enc }}
+ {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+ endpoint: {{ printf "https://%s:%v" .Values.minio.fullnameOverride .Values.minio.service.ports.api | b64enc }}
+ {{- end }}
+
+ {{- if .Values.pixelfed.s3.bucket }}
+ bucket: {{ .Values.pixelfed.s3.bucket | b64enc }}
+ {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+ bucket: {{ index .Values.minio.provisioning.buckets 0 "name" | b64enc }}
+ {{- end }}
+
+ {{- if .Values.pixelfed.s3.access_key_id }}
+ access_key_id: {{ .Values.pixelfed.s3.access_key_id | b64enc }}
+ {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+ access_key_id: {{ index .Values.minio.provisioning.users 0 "username" | b64enc }}
+ {{- end }}
+
+ {{- if .Values.pixelfed.s3.secret_access_key }}
+ secret_access_key: {{ .Values.pixelfed.s3.secret_access_key | b64enc }}
+ {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+ secret_access_key: {{ index .Values.minio.provisioning.users 0 "password" | b64enc }}
+ {{- end }}
+{{- end }}
diff --git a/charts/pixelfed/test-values/minio-plain.yaml b/charts/pixelfed/test-values/minio-plain.yaml
new file mode 100644
index 0000000..d35821d
--- /dev/null
+++ b/charts/pixelfed/test-values/minio-plain.yaml
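Review bot: The generated `url` and `endpoint` hard-code an `https://` scheme even though `minio.tls.enabled` is a value the user may turn off, in which case the Secret points Pixelfed at a port that is not serving TLS. Deriving the scheme once, `{{- $scheme := ternary "https" "http" .Values.minio.tls.enabled }}` and then `printf "%s://%s:%v" $scheme .Values.minio.fullnameOverride .Values.minio.service.ports.api` (and the same for the bucket URL), keeps the Secret in step with the subchart. Every `else if and .Values.minio.enabled .Values.minio.provisioning.enabled` repeats the file-level guard on the first line and can be a plain `else`. The Secret carries no labels; if the chart has a `pixelfed.labels` helper like its other templates appear to, it should be included under `metadata:` here as well.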
@@ -0,0 +1,62 @@
+# This file is strictly for testing a base functionality of this chart
+# it uses postgresql and valkey and provides credentials for them as well as mail
+
+pixelfed:
+ app:
+ domain: "example.com"
+ mail:
+ username: test
+ password: testing1234567
+ horizon:
+ separate_deployment: false
+ pf:
+ enable_cloud: true
+
+valkey:
+ auth:
+ enabled: true
+ password: testing1234567
+ primary:
+ replicaCount: 2
+ disableCommands:
+ - FLUSHALL
+ persistence:
+ enabled: false
+ replica:
+ replicaCount: 0
+ persistence:
+ enabled: false
+
+postgresql:
+ auth:
+ password: testing1234567
+ postgresPassword: testing1234567
+ username: pixelfed
+ database: pixelfed
+
+minio:
+ enabled: true
+ provisioning:
+ enabled: true
+ persistence:
+ enabled: false
+
+livenessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ httpGet:
+ path: /api/service/health-check
+ port: http
+
+readinessProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ httpGet:
+ path: /api/service/health-check
+ port: http
diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml
index 906729a..4d30bc5 100644
--- a/charts/pixelfed/values.yaml
+++ b/charts/pixelfed/values.yaml
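Review bot: The header comment still says the file "uses postgresql and valkey", but what distinguishes this values file from the others is `minio.enabled: true`; it should say so, e.g. `# it uses postgresql, valkey and the bundled minio subchart and provides credentials for them as well as mail`. The file does not set `minio.provisioning.users[0].password`, so the CI install exercises the default password shipped in values.yaml rather than an explicit test credential; setting one here (the file already uses `testing1234567` for valkey and postgresql) keeps the test independent of the default and lets the password guard in _helpers.tpl reject the shipped default without breaking CI.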
@@ -292,6 +292,77 @@ postgresql: # error, set these (This often happens on setups like minikube) enabled: false +minio: + # -- enable the bundled [minio sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/minio/README.md#parameters). + enabled: false + fullnameOverride: "minio" + global: + storageClass: "" + + tls: + enabled: true + autoGenerated: true + # -- use an init container to add the autogenerated minio certificate to the pixelfed container + pixelfedInitContainer: + name: add-minio-cert + image: debian:latest + command: ["/bin/sh", "-c"] + args: ["apt update && apt install -y ca-certificates && update-ca-certificates && cp -r /etc/ssl/certs/* /cacert/"] + securityContext: + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - name: minio-crt + mountPath: /usr/local/share/ca-certificates/minio.crt + subPath: ca.crt + readOnly: false + - name: cert-tmp + mountPath: /cacert + readOnly: false + # -- mount the shared ca-certificates directory to the pixelfed container + pixelfedVolumeMounts: + - name: cert-tmp + mountPath: /etc/ssl/certs + readOnly: false + # -- mounts for the minio certificate and the temporary directory + pixelfedVolumes: + - name: minio-crt + secret: + secretName: minio-crt + - name: cert-tmp + emptyDir: {} + + # -- disable the minio web ui + disableWebUI: true + + provisioning: + # -- enable the provisioning of minio buckets/policies/users during the deployment + enabled: true + # -- buckets to provision. Only one bucket is supported for auto configuration in this chart. + buckets: + - name: pixelfed + # -- commands to run after provisioning. + extraCommands: + - "mc anonymous set download provisioning/pixelfed" + # -- policies to provision. Only one policy is supported for auto configuration in this chart. + policies: + - name: pixelfed-full + statements: + - resources: + - "arn:aws:s3:::pixelfed" + - "arn:aws:s3:::pixelfed/*" + effect: Allow + actions: + - "s3:*" + # -- users to provision. 
Only one user is supported for auto configuration in this chart. Should be changed to a random password. + users: + - username: minio-pf + password: "pixelfedMinio" + disabled: false + policies: + - pixelfed-full + setPolicies: true + # -- PHP Configuration files # Will be injected in /usr/local/etc/php-fpm.d phpConfigs: {} @@ -311,9 +382,9 @@ persistence: enabled: false # -- storage class name storageClassName: "" - # -- size of the persistent volume claim to create. Tgnored if persistence.existingClaim is set + # -- size of the persistent volume claim to create. Ignored if persistence.existingClaim is set storage: 2Gi - # -- accessMode + # -- accessMode. Should be set to '["ReadWriteMany"]' for seperate worker to be able to upload from local storage to S3 accessModes: - ReadWriteOnce # -- using an existing PVC instead of creating one with this chart @@ -518,6 +589,8 @@ pixelfed: max_domain_blocks: 50 # -- Enable S3/Object Storage enable_cloud: false + # -- Posts are published without waiting for media to be optimized/uploaded to S3. However, posts may be federated without S3 urls. + media_fast_process: true # -- Limit max user registrations max_users: 1000 # -- in KB @@ -585,7 +658,7 @@ pixelfed: # -- key in existing Kubernetes Secret for password. If set, ignores mail.password password: "" - # S3 Configuration (Required if .Values.pixelfed.pf.enable_cloud is true) + # S3 Configuration (Required if .Values.pixelfed.pf.enable_cloud is true and minio subchart is not enabled) s3: # -- s3 url including protocol such as https://s3.domain.com url: "" @@ -601,6 +674,8 @@ pixelfed: secret_access_key: "" # -- use S3 path type instead of using a DNS subdomain use_path_style_endpoint: false + # -- visibility of the bucket + visibility: public # -- name of an existing Kubernetes Secret for s3 credentials existingSecret: ""
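Review bot: The default `pixelfedInitContainer` runs `debian:latest` as root and executes `apt update && apt install -y ca-certificates` on every pod start, so startup depends on the Debian mirrors being reachable and on whatever `latest` resolves to that day, and the container has no stable identity for image-policy or vulnerability tooling. Pinning the image (`debian:<release>@sha256:<digest>` — placeholder, take the real digest from the registry) removes the drift; going further, the only output consumed is the merged bundle in `/cacert`, which could be produced from the pixelfed image's own `/etc/ssl/certs` plus the mounted `ca.crt` without installing anything, provided that image ships a CA bundle — worth checking. `mc anonymous set download provisioning/pixelfed` makes the bucket world-readable, which is what `pixelfed.s3.visibility: public` assumes; a comment on `extraCommands`, `# public-read to match pixelfed.s3.visibility; change both together`, would keep the two from being changed independently. The `enabled: false` hunk in this file is fine, but the rest of the hunk would read more clearly with `disableWebUI` and `tls` grouped before the large `pixelfedInitContainer` block.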
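Review bot: The new `accessModes` comment has a typo, `seperate` → `separate` (the same spelling is in the README hunk), and the quoted `'["ReadWriteMany"]'` reads as a literal string; `# -- accessMode. Set to ["ReadWriteMany"] when a separate worker must upload from local storage to S3` says the same thing without the quotes.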